Abstract. In this paper we study a class of dynamical systems generated by iterations of multivariate polynomials and estimate the degree growth of these iterations. We use these estimates to bound exponential sums along the orbits of these dynamical systems and show that they admit much stronger estimates than in the general case and thus can be of use for pseudorandom number generation.
1. Introduction

Given a system of $r$ polynomials $\mathcal{F} = \{f_0, \dots, f_{r-1}\}$ in $r$ variables over a ring, one can naturally define a dynamical system generated by its iterations:
$$f_i^{(-1)} = X_i, \qquad f_i^{(k)} = f_i^{(k-1)}(f_0, \dots, f_{r-1}), \quad k = 0, 1, \dots,$$
for each $i = 0, \dots, r-1$; see [2, 26, 42, 43, 44] and references therein for various aspects of such dynamical systems. It is also natural to consider the orbits obtained by such iterations evaluated at a certain initial value $\mathbf{w}_0 = (u_{0,0}, \dots, u_{0,r-1})$, that is, the sequence of vectors
$$\mathbf{w}_k = (u_{k,0}, \dots, u_{k,r-1}), \qquad \mathbf{w}_{k+1} = \big(f_0(\mathbf{w}_k), \dots, f_{r-1}(\mathbf{w}_k)\big), \quad k = 0, 1, \dots.$$

In the special case of one linear univariate polynomial over a residue ring or a finite field such iterations, known as linear congruential generators, have been successfully used for decades in the theory of quasi-Monte Carlo methods.

Unfortunately, in cryptographic settings, such linear generators have been successfully attacked [19, 21, 29, 31] and thus deemed unusable for cryptographic purposes. It should be noted that nonlinear generators have also been attacked [21], but the attacks are much weaker and do not rule out their use for cryptographic purposes (provided reasonable precautions are taken). Although linear congruential generators have been used quite successfully for quasi-Monte Carlo methods, their linear structure shows in these applications too and often limits their applicability.

Motivated by these potential applications, the statistical uniformity of the distribution (measured by the discrepancy) of one- and multidimensional nonlinear polynomial generators has been studied in [20], among others. However, all previously known results are nontrivial only for those polynomial generators that produce sequences of extremely large period, which could be hard to achieve in practice. The reason behind this is that typically the degree of iterated polynomial systems grows exponentially, and that in all previous results the saving over the trivial bound has been logarithmic. Furthermore, it is easy to see that in the one-dimensional case (that is, for $r = 1$) the exponential growth of the degree of iterations of a nonlinear polynomial is unavoidable. One also expects the same behaviour in the multidimensional case for "random" polynomials $f_0, \dots, f_{r-1}$. However, for some specially selected polynomials $f_0, \dots, f_{r-1}$ the degree may grow significantly slower.

Indeed, here we describe a rather wide class of polynomial systems with polynomial growth of the degree of their iterations. As a result we obtain much better estimates of exponential sums, and thus of discrepancy, for vectors generated by these iterations, with a saving over the trivial bound being a power of $p$. Our construction resembles that of triangular maps of [33] but behaves quite differently; for example, triangular maps in [33] have the fastest possible degree growth.

We remark that in the case of the so-called inversive generator rather strong estimates are also available [38, 39], but this generator involves a modular inversion at each step, which is a computationally expensive operation. Another alternative where stronger than general bounds are known is the power generator, which essentially consists of iterating a monomial map $X \mapsto X^e$; see [17] and especially the recent result of J. Bourgain [6] on the joint distribution of consecutive terms of this generator. Similar results also hold for pseudorandom number generators obtained by iterating Dickson polynomials [23] and Rédei functions [25].

Finally, we note that we also hope that our results may be of use for some applications in polynomial dynamical systems.

2. Polynomial Dynamical System with Slow Degree Growth 

2.1. Construction. Let $\mathbb{F}$ be an arbitrary field of characteristic $p > m$ (or of characteristic zero) and let $\mathcal{F} = \{f_0, \dots, f_m\}$ be a system of $m+1$ polynomials in $\mathbb{F}[X_0, \dots, X_m]$ defined in the following way:
$$(1)\qquad \begin{aligned}
f_0(X_0, \dots, X_m) &= X_0\, g_0(X_1, \dots, X_m) + h_0(X_1, \dots, X_m), \\
f_1(X_0, \dots, X_m) &= X_1\, g_1(X_2, \dots, X_m) + h_1(X_2, \dots, X_m), \\
&\;\;\vdots \\
f_{m-1}(X_0, \dots, X_m) &= X_{m-1}\, g_{m-1}(X_m) + h_{m-1}(X_m), \\
f_m(X_0, \dots, X_m) &= aX_m + b,
\end{aligned}$$
where
$$a, b \in \mathbb{F}, \quad a \ne 0, \qquad g_i, h_i \in \mathbb{F}[X_{i+1}, \dots, X_m], \quad i = 0, \dots, m-1.$$

We also impose the condition that each polynomial $g_i$ has a unique leading monomial $X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}}$ (that is, a unique monomial of maximal total degree, which we normalize to have coefficient $1$); in other words,
$$(2)\qquad g_i(X_{i+1}, \dots, X_m) = X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}} + \tilde g_i(X_{i+1}, \dots, X_m),$$
where
$$(3)\qquad \deg \tilde g_i < \deg g_i = s_{i,i+1} + \dots + s_{i,m}$$
and
$$(4)\qquad \deg h_i < \deg g_i$$
for $i = 0, \dots, m-1$.

For each $i = 0, \dots, m$ we define the $k$-th iteration of the polynomials $f_i$ by the recurrence relation
$$(5)\qquad f_i^{(-1)} = X_i, \qquad f_i^{(k)} = f_i^{(k-1)}(f_0, \dots, f_m), \quad k = 0, 1, \dots.$$

2.2. Degree Growth. We denote by $d_{k,i}$ the degree of the polynomial $f_i^{(k)}$, $i = 0, \dots, m$. We also consider the vector of degrees of the iterations
$$\mathbf{d}_k = (d_{k,0}, \dots, d_{k,m})^t,$$
and the upper triangular matrix
$$S = \begin{pmatrix}
1 & s_{0,1} & s_{0,2} & \cdots & s_{0,m} \\
0 & 1 & s_{1,2} & \cdots & s_{1,m} \\
\vdots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & 1 & s_{m-1,m} \\
0 & \cdots & \cdots & 0 & 1
\end{pmatrix}$$
given by the exponents of the leading monomials in $f_i$, $i = 0, \dots, m$ (row $i$ lists the exponents of $X_0, \dots, X_m$ in the leading monomial $X_i X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}}$ of $f_i$). We observe that under iterations we have
$$f_i^{(k)} = f_i^{(k-1)}\, g_i\big(f_{i+1}^{(k-1)}, \dots, f_m^{(k-1)}\big) + h_i\big(f_{i+1}^{(k-1)}, \dots, f_m^{(k-1)}\big), \qquad i = 0, \dots, m-1$$
(the composites $f_i^{(k-1)}(f_0, \dots, f_m)$ and $f_i(f_0^{(k-1)}, \dots, f_m^{(k-1)})$ coincide, both being the $(k+1)$-fold composition of the map $\mathcal{F}$ with itself), and using the conditions on the degrees of the polynomials $g_i$ and $h_i$ we get
$$d_{k,i} = d_{k-1,i} + s_{i,i+1}\, d_{k-1,i+1} + \dots + s_{i,m}\, d_{k-1,m}, \quad i = 0, \dots, m-1, \qquad d_{k,m} = 1.$$

Using the above notation, the degrees of the iterations satisfy the relation
$$\mathbf{d}_k = S\,\mathbf{d}_{k-1}, \quad k \ge 0, \qquad \mathbf{d}_{-1} = (1, \dots, 1)^t,$$
which is equivalent to writing
$$(6)\qquad \mathbf{d}_k = S^{k+1}(1, \dots, 1)^t, \qquad k \ge 0.$$

We now show that the degrees of the iterations of $\mathcal{F}$ grow polynomially.

Lemma 1. Let $f_0, \dots, f_m \in \mathbb{F}[X_0, \dots, X_m]$ be as in (1), satisfying the conditions (2), (3) and (4). Then the degrees of the iterations of $\mathcal{F} = \{f_0, \dots, f_m\}$ grow as follows:
$$d_{k,i} = \frac{1}{(m-i)!}\, k^{m-i}\, s_{i,i+1} \cdots s_{m-1,m} + \psi_i(k), \quad i = 0, \dots, m-1, \qquad d_{k,m} = 1,$$
where $\psi_i(T) \in \mathbb{Q}[T]$ is a polynomial of degree $\deg \psi_i < m - i$.
Proof. We use induction on $m$. For $m = 1$ one can easily see that we get
$$d_{k,0} = k\,s_{0,1} + s_{0,1} + 1 \qquad\text{and}\qquad d_{k,1} = 1.$$

We assume the result true for systems in $m$ indeterminates. Let $S$ be the matrix of exponents of the leading monomials in $\mathcal{F}$ as above. We write $S$ in the following way
$$S = \begin{pmatrix} R & \mathbf{s}^t \\ \mathbf{0} & 1 \end{pmatrix},$$
where $R$ is the $m \times m$ matrix given by the exponents of the first $m$ indeterminates in the leading monomials of $f_i$, $i = 0, \dots, m-1$, and $\mathbf{s} = (s_{0,m}, \dots, s_{m-1,m})$. For a vector $\mathbf{v}$ we use $\mathbf{v}^t$ and $(\mathbf{v})_i$ to denote the transpose and the $i$th component of $\mathbf{v}$, respectively. We also denote by $\mathbf{e}$ the vector $\mathbf{e} = (1, \dots, 1)$ with $m$ components. Using these notations and recalling (6), we obtain
$$\mathbf{d}_k = S^{k+1} \begin{pmatrix} \mathbf{e}^t \\ 1 \end{pmatrix} = \begin{pmatrix} R^{k+1}\mathbf{e}^t + (R^k + \dots + R + I)\,\mathbf{s}^t \\ 1 \end{pmatrix}.$$
Componentwise, we have
$$d_{k,i} = \big(R^{k+1}\mathbf{e}^t\big)_i + \big((R^k + \dots + R + I)\,\mathbf{s}^t\big)_i, \quad i = 0, \dots, m-1, \qquad d_{k,m} = 1.$$
It is easy to note that the maximal degree of the $k$th iteration of the polynomials $f_i$ for any $i$ is given by the last position in each row of $S^{k+1}$. Using this remark and the induction hypothesis (applied to the unitriangular matrix $R$, which is the matrix of the system in the first $m$ indeterminates) we get
$$\big(R^j \mathbf{s}^t\big)_i = \frac{1}{(m-1-i)!}\, j^{m-1-i}\, s_{i,i+1} \cdots s_{m-2,m-1}\, s_{m-1,m} + \varphi_i(j), \qquad i = 0, \dots, m-1,$$
for some polynomials $\varphi_i(Z) \in \mathbb{Q}[Z]$ of degree $\deg \varphi_i < m-1-i$, while $(R^{k+1}\mathbf{e}^t)_i$ is a polynomial in $k$ of degree $m-1-i$. Then
$$\sum_{j=0}^{k} \big(R^j \mathbf{s}^t\big)_i = \frac{1}{(m-1-i)!}\, s_{i,i+1} \cdots s_{m-1,m} \sum_{j=0}^{k} j^{m-1-i} + \tilde\varphi_i(k),$$
for some polynomials $\tilde\varphi_i(Z) \in \mathbb{Q}[Z]$ of degree $\deg \tilde\varphi_i < m-i$. As
$$\sum_{j=0}^{k} j^{m-1-i} = \frac{1}{m-i}\big(B_{m-i}(k+1) - B_{m-i}(0)\big),$$
where $B_{m-i}$ is the Bernoulli polynomial of degree $m-i$ (which has leading coefficient equal to $1$), we finally obtain the desired result. □

Corollary 2. Let $f_0, \dots, f_m \in \mathbb{F}[X_0, \dots, X_m]$ be as in (1), satisfying the conditions (2), (3) and (4). If $s_{0,1} \cdots s_{m-1,m} \ne 0$, then for any integer $\nu \ge 1$ there is a constant $k_0$ depending only on the matrix $S$ and $\nu$ such that for any integers $k_1, \ell_1, \dots, k_\nu, \ell_\nu \ge k_0$ and any nonzero $\mathbf{a} = (a_0, \dots, a_{m-1}) \in \mathbb{F}^m$,
$$F_{\mathbf{a}, k_1, \ell_1, \dots, k_\nu, \ell_\nu} = \sum_{i=0}^{m-1} a_i \sum_{j=1}^{\nu} \big( f_i^{(k_j)} - f_i^{(\ell_j)} \big)$$
is a nonconstant polynomial of degree
$$\deg F_{\mathbf{a}, k_1, \ell_1, \dots, k_\nu, \ell_\nu} = O(k^m),$$
where
$$k = \max\{k_1, \ell_1, \dots, k_\nu, \ell_\nu\},$$
unless the components of the vectors
$$(k_1, \dots, k_\nu) \qquad\text{and}\qquad (\ell_1, \dots, \ell_\nu)$$
are permutations of each other.

Proof. Let $i_0$ be the smallest integer with $a_{i_0} \ne 0$. Performing all trivial cancellations, without loss of generality we can also assume that the vectors $(k_1, \dots, k_\nu)$ and $(\ell_1, \dots, \ell_\nu)$ have no common elements. Thus the largest element amongst them, $k$, is unique. By Lemma 1, $d_{k,i}$ is a polynomial in $k$ of degree $m-i$ with positive leading coefficient (because $s_{0,1} \cdots s_{m-1,m} \ne 0$), so for indices at least $k_0$ the degree $d_{k,i_0}$ exceeds both $d_{k',i_0}$ for every $k' < k$ and $d_{k,i}$ for every $i > i_0$. It is now clear that the leading term of $f_{i_0}^{(k)}$ is present in $F_{\mathbf{a}, k_1, \ell_1, \dots, k_\nu, \ell_\nu}$, which therefore has degree $d_{k,i_0} = O(k^m)$. □
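The degree recursion (6), the closed form of Lemma 1 and the degree statement of Corollary 2 can all be checked on a concrete instance. The Python script below is an added example, not code from the paper: it represents multivariate polynomials over $\mathbb{F}_p$ as dictionaries, iterates a constructed system of the form (1) with $m = 2$ over $\mathbb{F}_{101}$ (the particular $g_i$, $h_i$, $a$, $b$ are assumptions chosen to satisfy (2), (3) and (4); they give $s_{0,1} = 1$, $s_{0,2} = 2$, $s_{1,2} = 1$), compares the actual degrees of $f_i^{(k)}$ with $S^{k+1}(1,\dots,1)^t$ and with the polynomial $d_{k,0} = (k^2 + 7k + 8)/2$ predicted by Lemma 1 (leading term $\frac{1}{2!}k^2 s_{0,1}s_{1,2}$), and finally computes the degree of the combination $F_{\mathbf{a},k_1,\ell_1,\dots}$ of Corollary 2.

```python
# Python 3, standard library only.
# A polynomial over F_p is a dict {exponent tuple (e_0, ..., e_m): coefficient}.

P = 101          # characteristic p > m, as required in Section 2.1 (assumed value)
M = 2            # m = 2: three polynomials in X_0, X_1, X_2
NV = M + 1

def add(f, g):
    h = dict(f)
    for e, c in g.items():
        h[e] = (h.get(e, 0) + c) % P
        if h[e] == 0:
            del h[e]
    return h

def mul(f, g):
    h = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            h[e] = (h.get(e, 0) + c1 * c2) % P
    return {e: c for e, c in h.items() if c}

def compose(f, args):
    """f(args[0], ..., args[NV-1]) for polynomial arguments args."""
    res = {}
    for e, c in f.items():
        term = {(0,) * NV: c}
        for var, exp in enumerate(e):
            for _ in range(exp):
                term = mul(term, args[var])
        res = add(res, term)
    return res

def degree(f):
    """Total degree; the zero polynomial is reported as -1."""
    return max(sum(e) for e in f) if f else -1

def mono(coef, *exps):
    return {tuple(exps): coef % P}

# Constructed instance of (1), an assumption and not the paper's example:
#   g_0 = X_1 X_2^2 + X_2  (leading monomial X_1 X_2^2, so s_{0,1} = 1, s_{0,2} = 2; deg g~_0 = 1 < 3)
#   h_0 = X_1 + 3          (deg h_0 = 1 < deg g_0 = 3)
#   g_1 = X_2 + 1          (s_{1,2} = 1),   h_1 = 2,   f_2 = 3 X_2 + 7
F = [
    add(add(mono(1, 1, 1, 2), mono(1, 1, 0, 1)), add(mono(1, 0, 1, 0), mono(3, 0, 0, 0))),  # f_0
    add(add(mono(1, 0, 1, 1), mono(1, 0, 1, 0)), mono(2, 0, 0, 0)),                          # f_1
    add(mono(3, 0, 0, 1), mono(7, 0, 0, 0)),                                                  # f_2
]
S = [[1, 1, 2],
     [0, 1, 1],
     [0, 0, 1]]   # exponents of the leading monomials, the matrix S of Section 2.2

def iterates(kmax):
    """F^{(-1)} = (X_0, ..., X_m) and F^{(k)} for k = 0..kmax, following (5)."""
    cur = [{tuple(int(j == i) for j in range(NV)): 1} for i in range(NV)]
    out = []
    for _ in range(kmax + 1):
        # f_i^{(k-1)}(f_0, ..., f_m) equals f_i(F^{(k-1)}) (both are the (k+1)-fold
        # composite); substituting the iterates into the low-degree f_i is far cheaper.
        cur = [compose(f, cur) for f in F]
        out.append(cur)
    return out

def predicted_degrees(k):
    """d_k = S^{k+1} (1, ..., 1)^t, relation (6)."""
    v = [1] * NV
    for _ in range(k + 1):
        v = [sum(S[i][j] * v[j] for j in range(NV)) for i in range(NV)]
    return tuple(v)

def actual_degrees(kmax):
    """Degrees of the actually computed iterates f_i^{(k)}, k = 0..kmax."""
    return [tuple(degree(f) for f in Fk) for Fk in iterates(kmax)]

def combination_degree(a, ks, ls):
    """deg F_{a,k_1,l_1,...} = deg sum_i a_i sum_j (f_i^{(k_j)} - f_i^{(l_j)}) from Corollary 2."""
    its = iterates(max(ks + ls))
    total = {}
    for i, ai in enumerate(a):
        if ai % P == 0:
            continue
        for k, l in zip(ks, ls):
            diff = add(its[k][i], {e: (-c) % P for e, c in its[l][i].items()})
            total = add(total, mul({(0,) * NV: ai}, diff))
    return degree(total)

if __name__ == "__main__":
    for k, (act, pred) in enumerate(zip(actual_degrees(4), (predicted_degrees(k) for k in range(5)))):
        print(f"k={k}: actual degrees {act}, S^(k+1)(1,1,1) = {pred}, Lemma 1: {(k*k + 7*k + 8)//2}")
    print("deg F for k=(3,1), l=(1,2):", combination_degree((1, 5), [3, 1], [1, 2]))
    print("deg F for k=(3,1), l=(1,3):", combination_degree((1, 5), [3, 1], [1, 3]))
```

With $S$ as above the recursion gives $d_{k,1} = k + 2$ and $d_{k,0} = (k^2 + 7k + 8)/2$, linear and quadratic growth respectively, whereas a generic quadratic system in three variables would reach degree $2^{k+1}$ after the same number of steps. For the permuted index vectors the combination collapses to the zero polynomial, which is the excluded case of Corollary 2.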

3. Polynomial Pseudorandom Number Generators

3.1. Construction. Let $\mathcal{F} = \{f_0, \dots, f_m\}$ be a list of $m+1$ polynomials in $\mathbb{F}_p[X_0, \dots, X_m]$ defined as in Section 2. We consider the sequence defined by a recurrence congruence modulo a prime $p$ of the form
$$(7)\qquad u_{n+1,i} \equiv f_i(u_{n,0}, \dots, u_{n,m}) \pmod p, \qquad n = 0, 1, \dots,$$
with some initial values $u_{0,0}, \dots, u_{0,m}$. We also assume that $0 \le u_{n,i} < p$, $i = 0, \dots, m$, $n = 0, 1, \dots$. Using the vector notation
$$\mathbf{w}_n = (u_{n,0}, \dots, u_{n,m}) \qquad\text{and}\qquad \mathcal{F} = \big(f_0(X_0, \dots, X_m), \dots, f_m(X_0, \dots, X_m)\big),$$
we have the recurrence relation
$$\mathbf{w}_{n+1} = \mathcal{F}(\mathbf{w}_n).$$
In particular, for any $n, k \ge 0$ and $i = 0, \dots, m$ we have
$$u_{n+k+1,i} = f_i^{(k)}(u_{n,0}, \dots, u_{n,m}),$$
or, in vector form, $\mathbf{w}_{n+k+1} = \mathcal{F}^{(k)}(\mathbf{w}_n)$, where $\mathcal{F}^{(k)} = (f_0^{(k)}, \dots, f_m^{(k)})$ is given by (5).

Clearly the sequence of vectors $\mathbf{w}_n$ is eventually periodic with some period $T \le p^{m+1}$. Without loss of generality we assume that it is purely periodic, that is,
$$\mathbf{w}_{n+T} = \mathbf{w}_n, \qquad n = 0, 1, \dots.$$

In our construction of pseudorandom sequences we discard the last component of the vectors $\mathbf{w}_n$ (it satisfies the linear recurrence $u_{n+1,m} \equiv a\,u_{n,m} + b \pmod p$, that is, it is an ordinary linear congruential sequence) and denote
$$\mathbf{u}_n = (u_{n,0}, \dots, u_{n,m-1}),$$
which we show to be rather uniformly distributed provided $T$ is large enough.
3.2. Exponential Sums. We put
$$e(z) = \exp(2\pi i z/p).$$

Our second main tool is the Weil bound on exponential sums (see [32, Chapter 5]), which we present in the following slightly generalized form.

Lemma 3. For any nonconstant polynomial $F \in \mathbb{F}_p[X_0, \dots, X_m]$ of total degree $D$ we have the bound
$$\left| \sum_{x_0, \dots, x_m \in \mathbb{F}_p} e\big(F(x_0, \dots, x_m)\big) \right| \le D\, p^{m+1/2}.$$

We follow the scheme previously introduced in [37, 38]. Furthermore, as has been suggested in [41, 45], we work with higher moments of the corresponding exponential sums. However, the polynomial growth of the degree allows us a much more favorable choice of parameters and thus leads to a better estimate than in previous works.

Assume that the sequence $\{\mathbf{u}_n\}$ generated by (7) is purely periodic with an arbitrary period $T$. For an integer vector $\mathbf{a} = (a_0, \dots, a_{m-1}) \in \mathbb{Z}^m$ we introduce the exponential sum
$$S_{\mathbf{a}}(N) = \sum_{n=0}^{N-1} e\Big( \sum_{i=0}^{m-1} a_i u_{n,i} \Big).$$

Theorem 4. Let the sequence $\{\mathbf{u}_n\}$ be given by (7), where the family of $m+1$ polynomials $\mathcal{F} = \{f_0, \dots, f_m\} \subseteq \mathbb{F}_p[X_0, \dots, X_m]$ of total degree $d \ge 2$ is of the form (1), satisfying the conditions (2), (3) and (4), and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period $T$. Then for any fixed integer $\nu \ge 1$ and any positive integer $N \le T$, the bound
$$\max_{\gcd(a_0, \dots, a_{m-1}, p) = 1} |S_{\mathbf{a}}(N)| = O\big( p^{\alpha_{m,\nu}} N^{1 - \beta_{m,\nu}} \big)$$
holds, where
$$\alpha_{m,\nu} = \frac{2m^2 + 2m\nu + 2m + \nu}{4\nu(m+\nu)} \qquad\text{and}\qquad \beta_{m,\nu} = \frac{1}{2\nu},$$
and the implied constant depends only on $d$, $m$ and $\nu$.

Proof. Select any $\mathbf{a} = (a_0, \dots, a_{m-1}) \in \mathbb{Z}^m$ with $\gcd(a_0, \dots, a_{m-1}, p) = 1$. Since the sequence is purely periodic, shifting the range of summation by $k+1$ positions changes at most $2(k+1)$ terms of absolute value $1$, so for any integer $k \ge 0$ we have
$$\left| \sum_{n=0}^{N-1} e\Big( \sum_{i=0}^{m-1} a_i u_{n+k+1,i} \Big) - S_{\mathbf{a}}(N) \right| \le 2(k+1).$$
Let $k_0$ be the same as in Corollary 2. Therefore, for any integer $K > k_0$,
$$(8)\qquad (K - k_0 + 1)\, |S_{\mathbf{a}}(N)| \le W + 2(K+1)^2,$$
where
$$W = \sum_{n=0}^{N-1} \left| \sum_{k=k_0}^{K} e\Big( \sum_{i=0}^{m-1} a_i u_{n+k+1,i} \Big) \right|.$$

As before, we define the sequence of polynomials $f_i^{(k)}(X_0, \dots, X_m) \in \mathbb{F}_p[X_0, \dots, X_m]$ by (5), so that $u_{n+k+1,i} = f_i^{(k)}(\mathbf{w}_n)$. By the Hölder inequality,
$$W^{2\nu} \le N^{2\nu-1} \sum_{n=0}^{N-1} \left| \sum_{k=k_0}^{K} e\Big( \sum_{i=0}^{m-1} a_i f_i^{(k)}(\mathbf{w}_n) \Big) \right|^{2\nu} \le N^{2\nu-1} \sum_{\mathbf{w} \in \mathbb{F}_p^{m+1}} \left| \sum_{k=k_0}^{K} e\Big( \sum_{i=0}^{m-1} a_i f_i^{(k)}(\mathbf{w}) \Big) \right|^{2\nu},$$
where the second inequality holds because the vectors $\mathbf{w}_0, \dots, \mathbf{w}_{N-1}$ are pairwise distinct for $N \le T$. Expanding the $2\nu$-th power, we obtain
$$W^{2\nu} \le N^{2\nu-1} \sum_{k_1, \ell_1, \dots, k_\nu, \ell_\nu = k_0}^{K} \;\sum_{\mathbf{w} \in \mathbb{F}_p^{m+1}} e\Big( \sum_{i=0}^{m-1} a_i \sum_{j=1}^{\nu} \big( f_i^{(k_j)}(\mathbf{w}) - f_i^{(\ell_j)}(\mathbf{w}) \big) \Big).$$
For $O(K^\nu)$ vectors
$$(k_1, \dots, k_\nu) \qquad\text{and}\qquad (\ell_1, \dots, \ell_\nu)$$
which are permutations of each other, we estimate the inner sum trivially as $p^{m+1}$.

For the other $O(K^{2\nu})$ vectors, we combine Corollary 2 with Lemma 3, getting the upper bound $O(K^m p^{m+1/2})$ for the inner sum. Hence
$$W^{2\nu} \ll N^{2\nu-1} K^{\nu} p^{m+1} + N^{2\nu-1} K^{m+2\nu} p^{m+1/2}.$$
Inserting this bound in (8), we derive
$$S_{\mathbf{a}}(N) = O\Big( K^{-1/2} N^{1-1/2\nu} p^{(m+1)/2\nu} + K^{m/2\nu} N^{1-1/2\nu} p^{(2m+1)/4\nu} + K \Big).$$
Choosing
$$K = \left\lfloor p^{1/(2(m+\nu))} \right\rfloor$$
(and assuming that $p$ is large enough, so that $K \ge 2k_0$), after simple calculations we obtain the desired result. □
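The "simple calculations" at the end of the proof, written out here as an added derivation (not part of the original text) in the paper's own symbols. The two $N$-dependent terms balance when
$$K^{-1/2} p^{\frac{m+1}{2\nu}} = K^{\frac{m}{2\nu}} p^{\frac{2m+1}{4\nu}} \iff K^{\frac{m+\nu}{2\nu}} = p^{\frac{m+1}{2\nu} - \frac{2m+1}{4\nu}} = p^{\frac{1}{4\nu}} \iff K = p^{\frac{1}{2(m+\nu)}},$$
which is the choice made in the proof. With this $K$ both terms equal $p^{\alpha_{m,\nu}} N^{1-1/2\nu}$, because
$$\frac{m+1}{2\nu} - \frac{1}{4(m+\nu)} = \frac{2(m+1)(m+\nu) - \nu}{4\nu(m+\nu)} = \frac{2m^2 + 2m\nu + 2m + \nu}{4\nu(m+\nu)} = \alpha_{m,\nu}.$$
The remaining term $K = p^{1/(2(m+\nu))}$ is dominated as well, since $1/(2(m+\nu)) \le \alpha_{m,\nu}$ is equivalent to $2\nu \le 2m^2 + 2m\nu + 2m + \nu$, which holds for every $m \ge 1$, and $N^{1-1/2\nu} \ge 1$. Hence
$$S_{\mathbf{a}}(N) = O\big( p^{\alpha_{m,\nu}} N^{1-\beta_{m,\nu}} \big), \qquad \beta_{m,\nu} = \frac{1}{2\nu}.$$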



Since
$$\lim_{\nu \to \infty} \alpha_{m,\nu} / \beta_{m,\nu} = m + 1/2,$$
we see from Theorem 4 that for any fixed $\varepsilon > 0$ there is $\delta > 0$ such that if $T \ge N \ge p^{m+1/2+\varepsilon}$ then
$$\max_{\gcd(a_0, \dots, a_{m-1}, p) = 1} |S_{\mathbf{a}}(N)| = O\big( N^{1-\delta} \big)$$
(to see this it is enough to choose a sufficiently large $\nu$). On the other hand, when $T$ and $N$ are close to their largest possible value $p^{m+1}$, that is, if $N = p^{m+1+o(1)}$, Theorem 4 applied with $\nu = 1$ gives the estimate
$$\max_{\gcd(a_0, \dots, a_{m-1}, p) = 1} |S_{\mathbf{a}}(N)| \le N^{1 - 1/4(m+1)^2 + o(1)}.$$

3.3. Discrepancy. Given a sequence $\Gamma$ of points
$$(9)\qquad \Gamma = \big\{ (\gamma_{n,0}, \dots, \gamma_{n,m-1}) \big\}_{n=0}^{N-1}$$
in the $m$-dimensional unit cube $[0,1)^m$ it is natural to measure the level of its statistical uniformity in terms of the discrepancy $\Delta(\Gamma)$. More precisely,
$$\Delta(\Gamma) = \sup_{B \subseteq [0,1)^m} \left| \frac{T_\Gamma(B)}{N} - |B| \right|,$$
where $T_\Gamma(B)$ is the number of points of $\Gamma$ inside the box
$$B = [\alpha_1, \beta_1) \times \dots \times [\alpha_m, \beta_m) \subseteq [0,1)^m$$
and the supremum is taken over all such boxes, see [13, 30].

We recall that the discrepancy is a widely accepted quantitative measure of uniformity of distribution of sequences, and thus good pseudorandom sequences should (after an appropriate scaling) have a small discrepancy.

Typically the bounds on the discrepancy of a sequence are derived from bounds of exponential sums with elements of this sequence. The relation is made explicit in the celebrated Koksma–Szüsz inequality, see [13, Theorem 1.21], which we present in the following form.

Lemma 5. For any integer $L \ge 1$ and any sequence $\Gamma$ of $N$ points (9), the discrepancy $\Delta(\Gamma)$ satisfies the following bound:
$$\Delta(\Gamma) = O\left( \frac{1}{L} + \frac{1}{N} \sum_{\substack{|a_0|, \dots, |a_{m-1}| \le L \\ a_0^2 + \dots + a_{m-1}^2 > 0}} \;\prod_{j=0}^{m-1} \frac{1}{\max\{|a_j|, 1\}} \left| \sum_{n=0}^{N-1} \exp\Big( 2\pi i \sum_{j=0}^{m-1} a_j \gamma_{n,j} \Big) \right| \right).$$


Now, combining Lemma 5 with the bound obtained in Theorem 4 and taking $L = p - 1$ we obtain:

Theorem 6. Let the sequence $\{\mathbf{u}_n\}$ be given by (7), where the family of $m+1$ polynomials $\mathcal{F} = \{f_0, \dots, f_m\} \subseteq \mathbb{F}_p[X_0, \dots, X_m]$ of total degree $d \ge 2$ is of the form (1), satisfying the conditions (2), (3) and (4), and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period $T$. Then for any fixed integer $\nu \ge 1$ and any positive integer $N \le T$, the discrepancy $D_N$ of the sequence
$$\left( \frac{u_{n,0}}{p}, \dots, \frac{u_{n,m-1}}{p} \right), \qquad n = 0, \dots, N-1,$$
satisfies the bound obtained by inserting the estimate of Theorem 4 into Lemma 5 with $L = p - 1$, expressed through the exponents
$$\alpha_{m,\nu} = \frac{2m^2 + 2m\nu + 2m + \nu}{4\nu(m+\nu)} \qquad\text{and}\qquad \beta_{m,\nu} = \frac{1}{2\nu},$$
where the implied constant depends only on $d$, $m$ and $\nu$.

We remark that the same comments at the end of Section 3.2 also apply to Theorem 6.
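As an added worked example (not code from the paper), the following Python script runs the generator (7) for a constructed system of the form (1) with $m = 2$ over $\mathbb{F}_{23}$ (the polynomials, $p$, $a$, $b$ and the initial value are assumptions), finds the preperiod and the period $T$ so that the purely periodic part assumed in Section 3.1 can be isolated, drops the linear last coordinate, computes the exponential sums $S_{\mathbf{a}}(N)$ of Section 3.2 over all $\mathbf{a}$ with $\gcd(a_0, a_1, p) = 1$, and measures the scaled points of Theorem 6 by their exact star discrepancy together with the sum on the right-hand side of Lemma 5 for $L = p-1$ (implied constant dropped). The star discrepancy uses boxes anchored at the origin; it is bounded by $\Delta$ and, in dimension $m$, $\Delta \le 2^m D_N^*$, so it gives the same order of magnitude.

```python
# Python 3, standard library only.
import cmath
from bisect import bisect_left, bisect_right

# Constructed instance of (1) over F_p with m = 2 (an assumption, not the paper's example):
#   f_0 = X_0 (X_1 X_2^2 + X_2) + X_1 + 3,   f_1 = X_1 (X_2 + 1) + 2,   f_2 = a X_2 + b
P, M = 23, 2
A, B = 5, 7   # 5 is a primitive root mod 23: the last coordinate has period 22 unless it starts at the fixed point 4

def step(w):
    """One application of the map F of (7): w_{n+1} = F(w_n) mod p."""
    x0, x1, x2 = w
    return ((x0 * (x1 * x2 * x2 + x2) + x1 + 3) % P,
            (x1 * (x2 + 1) + 2) % P,
            (A * x2 + B) % P)

def orbit(w0):
    """Iterate until a state repeats. Returns (preperiod, period T, states on the cycle).
    F need not be a bijection, so an orbit is only eventually periodic; the paper's
    'purely periodic' assumption amounts to restarting from a state on the cycle."""
    seen, states = {}, []
    w = tuple(x % P for x in w0)
    while w not in seen:
        seen[w] = len(states)
        states.append(w)
        w = step(w)
    start = seen[w]
    return start, len(states) - start, states[start:]

def exp_sum(u, a):
    """S_a(N) = sum_{n<N} e(a_0 u_{n,0} + ... + a_{m-1} u_{n,m-1}) with e(z) = exp(2 pi i z / p)."""
    return sum(cmath.exp(2j * cmath.pi * sum(ai * ui for ai, ui in zip(a, un)) / P) for un in u)

def max_exp_sum(u):
    """max |S_a(N)| over a in F_p^2 \\ {0}, i.e. over gcd(a_0, a_1, p) = 1."""
    return max(abs(exp_sum(u, (a0, a1))) for a0 in range(P) for a1 in range(P) if a0 or a1)

def star_discrepancy_2d(pts):
    """Exact star discrepancy D*_N of points in [0,1)^2 over boxes [0,a) x [0,b).
    The supremum is attained for box edges through point coordinates (or at 1): for a box
    ending exactly at a point count the strictly inner points; for the limit of boxes
    shrinking onto the point count the points of the closed box."""
    n = len(pts)
    xs = sorted({x for x, _ in pts} | {1.0})
    ys = sorted({y for _, y in pts} | {1.0})
    best = 0.0
    for a in xs:
        y_lt = sorted(y for x, y in pts if x < a)
        y_le = sorted(y for x, y in pts if x <= a)
        for b in ys:
            cnt_lt = bisect_left(y_lt, b)      # #{x < a,  y < b}
            cnt_le = bisect_right(y_le, b)     # #{x <= a, y <= b}
            best = max(best, a * b - cnt_lt / n, cnt_le / n - a * b)
    return best

def koksma_szusz_sum(u, L):
    """Right-hand side of Lemma 5 without the implied constant, for the points u_n / p
    (so that exp(2 pi i sum_j a_j u_{n,j} / p) = e(sum_j a_j u_{n,j}))."""
    n, total = len(u), 0.0
    for a0 in range(-L, L + 1):
        for a1 in range(-L, L + 1):
            if a0 == 0 and a1 == 0:
                continue
            weight = 1.0 / (max(abs(a0), 1) * max(abs(a1), 1))
            total += weight * abs(exp_sum(u, (a0, a1)))
    return 1.0 / L + total / n

def analyse(w0=(1, 2, 3), nmax=150):
    """Run the generator from w0, keep N <= T purely periodic terms, drop the last coordinate."""
    pre, T, cycle = orbit(w0)
    u = [w[:M] for w in cycle][:nmax]             # u_n = (u_{n,0}, ..., u_{n,m-1})
    pts = [(x / P, y / P) for x, y in u]           # the points of Theorem 6 in [0,1)^m
    return {"preperiod": pre, "period": T, "N": len(u),
            "max_exp_sum": max_exp_sum(u),
            "star_discrepancy": star_discrepancy_2d(pts),
            "koksma_szusz_sum": koksma_szusz_sum(u, P - 1)}

if __name__ == "__main__":
    for key, val in analyse().items():
        print(f"{key:18s} {val}")
```

The period found is always a multiple of $22$ for an initial value whose last coordinate is not the fixed point $4$ of $x \mapsto 5x + 7 \bmod 23$, since the last coordinate of every state on a cycle of $\mathcal{F}$ runs through that $22$-cycle; this is the linear structure that motivates discarding $u_{n,m}$ in Section 3.1.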



4. Remarks and Open Questions 

We recall that the dynamical degree $\operatorname{dyndeg} \mathcal{F}$ of the polynomial system $\mathcal{F}$ and of the associated affine map $\mathcal{F} : \mathbb{F}^r \to \mathbb{F}^r$ is defined as
$$\operatorname{dyndeg} \mathcal{F} = \lim_{k \to \infty} \big( \deg \mathcal{F}^{(k)} \big)^{1/k},$$
where $\mathcal{F}^{(k)}$ is the $k$th iteration of $\mathcal{F}$ (and $\deg \mathcal{F}^{(k)}$ is the largest degree of its components), see [..., Section 7.1.3]. We note that the polynomial systems $\mathcal{F}$ which we have constructed in (1) satisfy $\operatorname{dyndeg} \mathcal{F} = 1$ under the conditions (2), (3) and (4), since by Lemma 1 their degrees grow only polynomially in $k$. Furthermore, for any nonlinear polynomial system $\mathcal{F}$ with $\operatorname{dyndeg} \mathcal{F} = 1$ one can obtain an improvement of the generic bounds on the corresponding exponential sums and the discrepancy of the generated sequences. However, the actual improvement depends on the speed of the convergence.

One of the attractive choices of polynomials (1), which leads to a very fast pseudorandom number generator, is
$$g_i(X_{i+1}, \dots, X_m) = X_{i+1} \qquad\text{and}\qquad h_i(X_{i+1}, \dots, X_m) = \alpha_i$$
for some constants $\alpha_i \in \mathbb{F}_p$, $i = 0, \dots, m-1$. The corresponding sequence of vectors is generated at the cost of one multiplication per component. This naturally leads to the question of studying the periods of the sequences generated by such polynomial dynamical systems.
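As an added example (not from the paper), the script below enumerates the whole state space $\mathbb{F}_p^{m+1}$ of this fast generator with $g_i = X_{i+1}$, $h_i = \alpha_i$ for $p = 11$ and $m = 2$ (the values of $p$, $\alpha_i$, $a$ and $b$ are assumptions) and extracts the cycle structure of the map $\mathcal{F}$: the cycle lengths are the periods $T$ that actually occur, and the states lying on cycles are exactly the initial values for which the sequence is purely periodic, as assumed in Section 3.1. Since $f_1 = X_1 X_2 + \alpha_1$ is not injective when $X_2 = 0$, the map is not a permutation and many initial values only lead into a cycle after a preperiod.

```python
# Python 3, standard library only.
P, M = 11, 2        # small prime so that the whole state space F_p^{m+1} (1331 states) can be enumerated
A, B = 2, 7         # f_m = a X_m + b; 2 is a primitive root mod 11, so x -> 2x + 7 is a 10-cycle plus the fixed point 4
ALPHA = (3, 5)      # the constants alpha_0, alpha_1 (assumed values)

def fast_step(w):
    """f_i = X_i X_{i+1} + alpha_i for i < m and f_m = a X_m + b: one multiplication per component."""
    x0, x1, x2 = w
    return ((x0 * x1 + ALPHA[0]) % P, (x1 * x2 + ALPHA[1]) % P, (A * x2 + B) % P)

def cycle_structure(step, states):
    """Cycles of the functional graph of `step` on `states`. Returns the list of cycles (each a
    list of states in orbit order) and the number of states lying on some cycle, i.e. the number
    of initial values for which the generated sequence is purely periodic."""
    status = {}                  # state -> index of its cycle, or -1 for a state in a tail
    cycles = []
    for s in states:
        if s in status:
            continue
        path, index, w = [], {}, s
        while w not in status and w not in index:
            index[w] = len(path)
            path.append(w)
            w = step(w)
        if w in index:           # the walk closed a new cycle at path[index[w]:]
            cyc = path[index[w]:]
            for v in cyc:
                status[v] = len(cycles)
            for v in path[:index[w]]:
                status[v] = -1
            cycles.append(cyc)
        else:                    # the walk ran into already classified states: the whole path is a tail
            for v in path:
                status[v] = -1
    return cycles, sum(len(c) for c in cycles)

def fast_generator_stats():
    states = [(x, y, z) for x in range(P) for y in range(P) for z in range(P)]
    cycles, on_cycles = cycle_structure(fast_step, states)
    return {"states": len(states), "on_cycles": on_cycles,
            "cycle_lengths": sorted((len(c) for c in cycles), reverse=True), "cycles": cycles}

if __name__ == "__main__":
    st = fast_generator_stats()
    print(f"{st['on_cycles']} of {st['states']} initial values give a purely periodic sequence")
    print("cycle lengths (possible periods T):", st["cycle_lengths"])
```

Because the last coordinate follows $x \mapsto ax + b$, every cycle of $\mathcal{F}$ either lies in the slice $X_m = 4$ (the fixed point of that affine map) or has length divisible by the order of $a$, here $p - 1 = 10$; the largest cycle length printed is the best period this instance can offer, to be compared with the trivial bound $T \le p^{m+1}$.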

We also note that it is natural to consider the joint distribution of several consecutive vectors
$$(\mathbf{u}_n, \dots, \mathbf{u}_{n+s-1}), \qquad n = 0, 1, \dots,$$
in the $sm$-dimensional space. It seems that our method (with some minor adjustments) can be applied to derive an appropriate variant of Corollary 2 which is needed for such a result.

One of the possible ways to improve our results is to construct special polynomials $\mathcal{F} = \{f_0, \dots, f_{r-1}\}$ such that linear combinations of their iterations, of the type which appear in the proof of Theorem 4, satisfy the condition of the Deligne bound [12], that is, have a nonsingular highest form. In fact even some partial control over the dimension of the singularity locus of this highest form may already lead to better estimates via results of Katz [28].

Finally, obtaining stronger results "on average" over all initial values $\mathbf{w}_0 \in \mathbb{F}_p^{m+1}$ is an interesting and challenging question. It is possible that some of the arguments of [39] may be applied to this problem.